This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Internet of Things Project"

From OWASP
Jump to: navigation, search
Line 192: Line 192:
  
 
= IoT Testing Guides =
 
= IoT Testing Guides =
 +
 +
== Tester IoT Security Guidance ==
 +
 +
(DRAFT)
 +
 +
The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.
 +
 +
{| border="1" class="wikitable" style="text-align: left"
 +
! Category
 +
! IoT Security Consideration
 +
|-
 +
| '''I1: Insecure Web Interface'''
 +
|
 +
* Assess any web interface to determine if weak passwords are allowed
 +
* Assess the account lockout mechanism
 +
* Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities
 +
* Assess the use of HTTPS to protect transmitted information
 +
* Assess the ability to change the username and password
 +
* Determine if web application firewalls are used to protect web interfaces
 +
|-
 +
| '''I2: Insufficient Authentication/Authorization'''
 +
|
 +
* Assess the solution for the use of strong passwords where authentication is needed
 +
* Assess the solution for multi-user environments and ensure it includes functionality for role separation
 +
* Assess the solution for Implementation two-factor authentication where possible
 +
* Assess password recovery mechanisms
 +
* Assess the solution for the option to require strong passwords
 +
* Assess the solution for the option to force password expiration after a specific period
 +
* Assess the solution for the option to change the default username and password
 +
|-
 +
| '''I3: Insecure Network Services'''
 +
|
 +
* Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
 +
* Assess the solution to ensure test ports are are not present
 +
|-
 +
| '''I4: Lack of Transport Encryption'''
 +
|
 +
* Assess the solution to determine the use of encrypted communication between devices and between devices and the internet
 +
* Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided
 +
* Assess the solution to determine if a firewall option available is available
 +
|-
 +
| '''I5: Privacy Concerns'''
 +
|
 +
* Assess the solution to determine the amount of personal information collected
 +
* Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit
 +
* Assess the solution to determine if Ensuring data is de-identified or anonymized
 +
* Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
 +
|-
 +
| '''I6: Insecure Cloud Interface'''
 +
|
 +
* Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
 +
* Assess the cloud-based web interface to ensure it disallows weak passwords
 +
* Assess the cloud-based web interface to ensure it includes an account lockout mechanism
 +
* Assess the cloud-based web interface to determine if two-factor authentication is used
 +
* Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities
 +
* Assess all cloud interfaces to ensure transport encryption is used
 +
* Assess the cloud interfaces to determine if the option to require strong passwords is available
 +
* Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available
 +
* Assess the cloud interfaces to determine if the option to change the default username and password is available
 +
|-
 +
| '''I7: Insecure Mobile Interface'''
 +
|
 +
* Assess the mobile interface to ensure it disallows weak passwords
 +
* Assess the mobile interface to ensure it includes an account lockout mechanism
 +
* Assess the mobile interface to determine if it Implements two-factor authentication (e.g Apple's Touch ID)
 +
* Assess the mobile interface to determine if it uses transport encryption
 +
* Assess the mobile interface to determine if the option to require strong passwords is available
 +
* Assess the mobile interface to determine if the option to force password expiration after a specific period is available
 +
* Assess the mobile interface to determine if the option to change the default username and password is available
 +
* Assess the mobile interface to determine the amount of personal information collected
 +
|-
 +
| '''I8: Insufficient Security Configurability'''
 +
|
 +
* Assess the solution to determine if password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication) are available
 +
* Assess the solution to determine if encryption options (e.g. Enabling AES-256 where AES-128 is the default setting) are available
 +
* Assess the solution to determine if logging for security events is available
 +
* Assess the solution to determine if alerts and notifications to the user for security events are available
 +
|-
 +
| '''I9: Insecure Software/Firmware'''
 +
|
 +
* Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered
 +
* Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption
 +
* Assess the device to ensure is uses signed files and then validates that file before installation
 +
 +
|-
 +
| '''I10: Poor Physical Security'''
 +
|
 +
* Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device
 +
* Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port
 +
* Assess the device to determine if it allows for disabling of unused physical ports such as USB
 +
* Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only
 +
|}
 +
 +
===General Recommendations===
 +
 +
Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
 +
* Avoid potential Account Harvesting issues by:
 +
** Ensuring valid user accounts can't be identified by interface error messages
 +
** Ensuring strong passwords are required by users
 +
** Implementing account lockout after 3 - 5 failed login attempts
 +
  
 
= Top IoT Vulnerabilities =
 
= Top IoT Vulnerabilities =

Revision as of 21:20, 7 August 2015

OWASP Project Header.jpg

OWASP Internet of Things (IoT) Project

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

Licensing

The OWASP Internet of Things Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


Share this:  E-mail this story Bookmark with Facebook Share on Digg.com Share on delicious Share on reddit.com Share on stumbleupon.com Share on LinkedIn.com Share on twitter.com Seed on Newsvine

What is the OWASP Internet of Things Project?

The OWASP Internet of Things Project provides:

  • IoT Attack Surface Areas
  • IoT Testing Guides
  • Top IoT Vulnerabilities

Project Leaders

  • Daniel Miessler
  • Craig Smith

Related Projects

Email List

Quick Download

News and Events

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg
OWASP Project Header.jpg


The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

Attack Surface Vulnerability
Ecosystem Access Control
  • Implicit trust between components
  • Enrollment security
  • Decommissioning system
  • Lost access procedures
Device Memory
  • Cleartext usernames
  • Cleartext passwords
  • Third-party credentials
  • Encryption keys
Device Physical Interfaces
  • Firmware extraction
  • User CLI
  • Admin CLI
  • Privilege escalation
  • Reset to insecure state
Device Web Interface
  • SQL injection
  • Cross-site scripting
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known credentials
Device Firmware
  • Hardcoded passwords
  • Sensitive URL disclosure
  • Encryption keys
Device Network Services
  • Information disclosure
  • User CLI
  • Administrative CLI
  • Injection
  • Denial of Service
Administrative Interface
  • SQL injection
  • Cross-site scripting
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known credentials
Local Data Storage
  • Unencrypted data
  • Data encrypted with discovered keys
  • Lack of data integrity checks
Cloud Web Interface
  • SQL injection
  • Cross-site scripting
  • Username enumeration
  • Weak passwords
  • Account lockout
  • Known credentials
Third-party Backend APIs
  • Unencrypted PII sent
  • Encrypted PII sent
  • Device information leaked
  • Location leaked
Update Mechanism
  • Update sent without encryption
  • Updates not signed
  • Update location writable
Mobile Application
  • Implicitly trusted by device or cloud
  • Known credentials
  • Insecure data storage
  • Lack of transport encryption
Vendor Backend APIs
  • Inherent trust of cloud or mobile application
  • Weak authentication
  • Weak access controls
  • Injection attacks
Ecosystem Communication
  • Health checks
  • Heartbeats
  • Ecosystem commands
  • Deprovisioning
  • Pushing updates
Network Traffic
  • LAN
  • LAN to Internet
  • Short range
  • Non-standard

Tester IoT Security Guidance

(DRAFT)

The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

Category IoT Security Consideration
I1: Insecure Web Interface
  • Assess any web interface to determine if weak passwords are allowed
  • Assess the account lockout mechanism
  • Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities
  • Assess the use of HTTPS to protect transmitted information
  • Assess the ability to change the username and password
  • Determine if web application firewalls are used to protect web interfaces
I2: Insufficient Authentication/Authorization
  • Assess the solution for the use of strong passwords where authentication is needed
  • Assess the solution for multi-user environments and ensure it includes functionality for role separation
  • Assess the solution for Implementation two-factor authentication where possible
  • Assess password recovery mechanisms
  • Assess the solution for the option to require strong passwords
  • Assess the solution for the option to force password expiration after a specific period
  • Assess the solution for the option to change the default username and password
I3: Insecure Network Services
  • Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
  • Assess the solution to ensure test ports are are not present
I4: Lack of Transport Encryption
  • Assess the solution to determine the use of encrypted communication between devices and between devices and the internet
  • Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided
  • Assess the solution to determine if a firewall option available is available
I5: Privacy Concerns
  • Assess the solution to determine the amount of personal information collected
  • Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit
  • Assess the solution to determine if Ensuring data is de-identified or anonymized
  • Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
I6: Insecure Cloud Interface
  • Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
  • Assess the cloud-based web interface to ensure it disallows weak passwords
  • Assess the cloud-based web interface to ensure it includes an account lockout mechanism
  • Assess the cloud-based web interface to determine if two-factor authentication is used
  • Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities
  • Assess all cloud interfaces to ensure transport encryption is used
  • Assess the cloud interfaces to determine if the option to require strong passwords is available
  • Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available
  • Assess the cloud interfaces to determine if the option to change the default username and password is available
I7: Insecure Mobile Interface
  • Assess the mobile interface to ensure it disallows weak passwords
  • Assess the mobile interface to ensure it includes an account lockout mechanism
  • Assess the mobile interface to determine if it Implements two-factor authentication (e.g Apple's Touch ID)
  • Assess the mobile interface to determine if it uses transport encryption
  • Assess the mobile interface to determine if the option to require strong passwords is available
  • Assess the mobile interface to determine if the option to force password expiration after a specific period is available
  • Assess the mobile interface to determine if the option to change the default username and password is available
  • Assess the mobile interface to determine the amount of personal information collected
I8: Insufficient Security Configurability
  • Assess the solution to determine if password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication) are available
  • Assess the solution to determine if encryption options (e.g. Enabling AES-256 where AES-128 is the default setting) are available
  • Assess the solution to determine if logging for security events is available
  • Assess the solution to determine if alerts and notifications to the user for security events are available
I9: Insecure Software/Firmware
  • Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered
  • Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption
  • Assess the device to ensure is uses signed files and then validates that file before installation
I10: Poor Physical Security
  • Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device
  • Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port
  • Assess the device to determine if it allows for disabling of unused physical ports such as USB
  • Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only

General Recommendations

Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):

  • Avoid potential Account Harvesting issues by:
    • Ensuring valid user accounts can't be identified by interface error messages
    • Ensuring strong passwords are required by users
    • Implementing account lockout after 3 - 5 failed login attempts


Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&oldid=198577"